devi-panneer / security-strategy-essentials

https://lab.github.com/githubtraining/security-strategy-essentials
MIT License

Add a Security Policy #5

Open github-learning-lab[bot] opened 3 years ago

github-learning-lab[bot] commented 3 years ago

Adding a security policy

Just like most repositories have a README.md file to provide instructions on how to contribute to the repository, a SECURITY.md file highlights security related information and instructions on how to handle security related issues and best practices.

This gives collaborators the important security information they need, but it also documents a place where maintainers can think about how they should deal with security disclosures, updates, and general security practices within this repository.

What should I include in my security policy?

Just like a README.md file, it really depends on your repository and the requirements and workflows. Here are a few common topics that are documented in a security policy:

Step 6: Add a SECURITY.md file

  1. Navigate to the Security tab
  2. Click on Security Policy located in the left sidebar
  3. Click the Start Setup button
  4. Commit the template security policy to the new branch as selected devi-panneer-patch-1
  5. Commit the new file and create the pull request

Alternatively, you could also create a new file in the root directory called SECURITY.md, write up a quick security policy, and open a pull request.


I'll respond in your pull request with next steps.

devi-panneer commented 3 years ago

24a57c1 (HEAD -> master, origin/master, origin/HEAD) Merge pull request #8 from devi-panneer/add-gitignore
b16e40a Update .gitignore
6897d8f Merge add-wolverine-image into master
5a694fa Add .env file
6afe7ef Add wolverine image to game
fe30946 Merge pull request #6 from devi-panneer/devi-panneer-patch-1
483c7c4 Create SECURITY.md
817012b Merge pull request #1 from devi-panneer/update-dependency
155bb7d Update package.json
e9ae69a Change package.json file to highlight where dependency update should go
831b1d1 Add empty .gitignore file
78cfef0 Remove .env file
8f08f15 Add .env file
e6e2377 Update README.md and Octocat game
528248c Initial commit

github-learning-lab[bot] commented 3 years ago

Nice, your log output is no longer showing reference to those previous commits. So, what exactly just happened?

Our commit history has been modified

You probably noticed that when you ran the git filter-branch command, Git did some rewriting to some commits in the repository's history. Since we needed to alter the commits that referenced the .env file, it altered the commit ID, and all subsequent commits that point back to those commits.

This is why you need to consider local work and branches that are based on this previous history. This is okay to run, as long as everyone contributing in the repository is aware of the situation and can plan accordingly.

Is the sensitive information gone?

Those commits no longer show in the file contents in your repository history. You can see this by navigating to your repository's commit history and clicking on the "Add .env file" commit. Notice that there are now no referenced files or content recorded.

However, we can still access the cached commit if we know the old commit ID: https://github.com/devi-panneer/security-strategy-essentials/commit/848cd8c2043f6161a4f0043bffee212777281494

Removing the old cached commits

This is where we'll need to contact the amazing GitHub Support team for assistance.

Even though we removed these commits, the historical reference to them can still be found if you know the commit ID. In a real world situation, you'll need to contact GitHub Support to perform the following:

For our situation, we can skip contacting GitHub Support for this example! :smile:


Find your final issue here now.
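The following script is an added example, not part of the course or of this repository. It builds a throwaway repository with a committed .env, runs git filter-branch to drop the file from every commit, and then checks what the bot's comments above describe: the rewritten history no longer carries .env, but the original "Add .env file" commit object is still in the object store (filter-branch keeps a backup under refs/original/ and the reflog still points at it) until the backup refs are deleted, reflogs expire and gc prunes. The repository contents, author identity and the secret value are constructed for the demo; git is assumed to be installed. This local cleanup is exactly the part that you cannot do yourself on github.com, which is why the course says to contact GitHub Support for the server-side copy.

```shell
#!/bin/sh
# Added example (not from the course): rewrite a throwaway repo's history to
# drop a committed .env, then show that the original commit object survives
# locally until backup refs and reflogs are cleared and gc runs. Paths, names
# and the secret value are all constructed for the demo.
set -e

# Count commits reachable from HEAD whose tree still carries a .env file.
count_env_commits() {
  n=0
  for c in $(git rev-list HEAD); do
    if git ls-tree -r --name-only "$c" | grep -qxF '.env'; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

demo_purge_env() (
  repo=$(mktemp -d)
  cd "$repo"
  git -c init.defaultBranch=main init -q
  git config user.email demo@example.com   # constructed identity
  git config user.name demo
  git config commit.gpgsign false

  echo "# game" > README.md
  git add README.md && git commit -q -m "Initial commit"
  echo "API_TOKEN=constructed-secret-value" > .env   # constructed secret
  git add .env && git commit -q -m "Add .env file"
  echo "play" > game.txt
  git add game.txt && git commit -q -m "Add game"

  env_commit=$(git rev-parse HEAD~1)      # ID of the "Add .env file" commit
  before=$(count_env_commits)             # .env sits in this tree and the next

  # Rewrite every commit, removing .env from each tree. The first changed
  # commit gets a new ID, and every later commit changes too because it now
  # points at a different parent.
  FILTER_BRANCH_SQUELCH_WARNING=1 git filter-branch -f \
    --index-filter 'git rm -q --cached --ignore-unmatch .env' \
    -- --all >/dev/null 2>&1

  after=$(count_env_commits)

  # The old commit object is still present: refs/original/ and the reflog
  # keep it alive, so anyone holding the old ID can still read the secret.
  if git cat-file -e "$env_commit" 2>/dev/null; then old_before=present; else old_before=gone; fi

  # Local cleanup: drop backup refs, expire reflogs, prune unreachable objects.
  for r in $(git for-each-ref --format='%(refname)' refs/original/); do
    git update-ref -d "$r"
  done
  git reflog expire --expire=now --all
  git gc -q --prune=now

  if git cat-file -e "$env_commit" 2>/dev/null; then old_after=present; else old_after=gone; fi

  echo "env_commits_before=$before env_commits_after=$after old_commit_before=$old_before old_commit_after=$old_after"
)

demo_purge_env
```

Running the script prints one status line; the two "before" values show the leak and the surviving commit object, the two "after" values show the rewritten history and the pruned object. A hosted copy of the repository has its own object store, so none of the cleanup steps here reach it: the rewritten branches must still be force-pushed, and the cached commits on the server are what GitHub Support removes.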